git.ipfire.org Git - thirdparty/nftables.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Tue, 3 May 2022 15:51:36 +0000 (17:51 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Tue, 3 May 2022 21:45:21 +0000 (23:45 +0200)
commit	0a6dbfce6dc30a3bf2ef560f4f4dbccf9b53f1d8
tree	539360f8067d63498aad3425ef9f7ab3d9f8e701	tree
parent	743b0e81371f0e5a6d70375e8efd7fbe9b00cae7	commit \| diff

optimize: merge nat rules with same selectors into map

Verdict and nat are mutually exclusive, no need to support for this
combination.

# cat ruleset.nft
table ip x {
        chain y {
type nat hook postrouting priority srcnat; policy drop;
                ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
                ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
        }
}

# nft -o -c -f ruleset.nft
Merging:
ruleset.nft:4:3-52:                ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
ruleset.nft:5:3-52:                ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
into:
        snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 }

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

src/optimize.c		diff \| blob \| blame \| history
tests/shell/testcases/optimizations/dumps/merge_nat.nft	[new file with mode: 0644]	blob
tests/shell/testcases/optimizations/merge_nat	[new file with mode: 0755]	blob